MyDoom.Y

Details

Summary

A new variant of the MyDoom worm, Mydoom.Y, was found on September 14th, 2004. It spreads
in e-mails with varying subject and body texts, and downloads and activates a backdoor. This
variant was already detected generically as I-Worm.MyDoom.gen. This variant appears
to launch a DDoS attack against www.symantec.com.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning and removal options available in your F-Secure product
can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

where "%WinSysDir%" represents Windows System directory, "%WinDir%" the main Windows
folder and "%WinTempDir%" the Windows Temporary files folder.

The worm also drops a text file named 'About_Mydoom.txt' in the Windows System
folder, with contents referring to the actions performed by the worm. The text in the
file follows:

------------------- About_Mydoom.txt contents ------------------
Contain
1- ATTACK www.symantec.com On Sept 29 2004 starting at 2
2- drops yahoo keylogger that open 4321, http://victim_ip:4321/
3- drops 2 pictures that will not be showing to the victim
4- drops a downxz.bat which download Bacdoor.Nemog.c
5- drops services.exe , zincite.a
6- Retrieves email addresses from the Outlook address book and files on fixed disks, ram disks, and in the following registry key and folders:
%Userprofile%\Local Settings\Temporary Internet Files
%Userprofile%\Desktop
%Userprofile%\My Documents
%Userprofile%\Application Data , etc
queries HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name and searches for emails.
go and detect the other information.
In a difficult world In a nameless time I want to survive So, you will be mine!!,second author Nemog and ZinCite :P¿mnopqrst
------------------- About_Mydoom.txt contents ------------------

Spreading in e-mails

The worm spreads by sending its infected attachment to all e-mail addresses found
on an infected computer. The worm looks for e-mail addresses in Windows Address Book
and in the files with the following extensions:

txt

htm

html

mbx

mdx

xml

jsp

xls

uin

msg

wsh

cgi

eml

cfg

vbs

sht

php

asp

dbx

tbb

adb

wab

The worm avoids sending e-mails to e-mail addresses that contain any of the following
substrings:

avp.

syman

icrosof

panda

sopho

borlan

inpris

example

mydomai

nodomai

ruslis

.gov

gov.

.mil

foo.

berkeley

unix

math

mit.e

gnu

fsf.

ibm.com

kernel

linux

fido

usenet

iana

ietf

rfc-ed

sendmail

arin.

ripe.

isi.e

isc.o

acketst

pgp

tanford.e

utgers.ed

mozilla

The subject of infected e-mails is selected from the following variants:

Re:Help

FW:Hi'

Hello'

Re:Test

Delivery status Notification

Important

Re:Important

FW:Important

Information

FW:Information

Re:Information

Read

FW:Read

Re:Read

Re:Question

Re:Hi

Hi!

News

Re:News

Thanks

Re:Thanks

FW:Thanks

Re:Hello!

Hello

Hello!

FW:Hello

The body text of infected e-mails is selected from the following variants:

test

Please read the important document.

I have attached document.

Waiting for a Response. Please read the attachment.

Thanks!

Please see the attached file for details

Please read the attached file!

Please confirm!

Please answer quickly!

For more details see the attachment.

For further details see the attachment.

Monthly news report.

Virus removal tool

apply this patch!

fun game!

lol!

fun!

See the file.

screensaverlol!

See the file.

Your archive is attached.

check!

Error

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Hello Check the attachment.

Here is the attachment.

:-)

Here is my photo.:-)

+++ Attachment: No Virus found

+++ Attachment: No Infection found

Norton AntiVirus - www.symantec.com

F-Secure AntiVirus - www.f-secure.com

Norman AntiVirus - www.norman.com

Panda AntiVirus - www.pandasoftware.com

Kaspersky AntiVirus - www.kaspersky.com

MC-Afee AntiVirus - www.mcafee.com

Bitdefender AntiVirus - www.bitdefender.com

MessageLabs AntiVirus - www.messagelabs.com

The worm can send itself as an executable attachment or in a ZIP archive with one
of the following names:

Virus

XXX Pictures

XXX Videos

xbox emulator

ps2 emulator

Hotmail hacker

yahoo hacker

klez

SoBig

mydoom

netsky

Upload

crack

Winzip

kazz

Winrar

mirc

pyrnare

SeX

Vaho

Fixtool

Winamp

with any of the following extensions appended:

.exe

.scr

.pif

.bat
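The subject, body and attachment-name lists above together form a mail-gateway fingerprint for this variant. The following Python is an added example (not F-Secure's code) of a detection check built from those lists: it flags a message whose subject is one of the listed lures, whose body carries the fake "+++ Attachment: No ... found" scan trailer, or whose attachment is a listed name with one of the listed executable extensions, optionally wrapped in a ZIP. The sample messages are constructed for the example; the stray apostrophes on "FW:Hi'" and "Hello'" in the listing are assumed to be formatting artifacts and are dropped.

```python
# Lure strings taken from the description above.
SUBJECTS = {
    "Re:Help", "FW:Hi", "Hello", "Re:Test", "Delivery status Notification",
    "Important", "Re:Important", "FW:Important", "Information",
    "FW:Information", "Re:Information", "Read", "FW:Read", "Re:Read",
    "Re:Question", "Re:Hi", "Hi!", "News", "Re:News", "Thanks", "Re:Thanks",
    "FW:Thanks", "Re:Hello!", "Hello!", "FW:Hello",
}
ATTACHMENT_NAMES = {
    "virus", "xxx pictures", "xxx videos", "xbox emulator", "ps2 emulator",
    "hotmail hacker", "yahoo hacker", "klez", "sobig", "mydoom", "netsky",
    "upload", "crack", "winzip", "kazz", "winrar", "mirc", "pyrnare", "sex",
    "vaho", "fixtool", "winamp",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat"}
# Fake scan-result lines the worm appends to some body texts.
FAKE_SCAN_TRAILERS = ("+++ Attachment: No Virus found",
                      "+++ Attachment: No Infection found")


def split_attachment(filename):
    """Return (basename, extension, was_zipped), lower-cased.
    A trailing .zip is unwrapped one level so 'crack.zip' and 'crack.exe'
    both resolve to basename 'crack'."""
    name = filename.lower().strip()
    zipped = name.endswith(".zip")
    if zipped:
        name = name[:-4]
    base, dot, ext = name.rpartition(".")
    if not dot:                      # no extension left after unwrapping
        return name, "", zipped
    return base, "." + ext, zipped


def mydoom_y_indicators(subject, body, attachment):
    """Return the list of matched lure indicators (empty list = no match)."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if any(trailer in body for trailer in FAKE_SCAN_TRAILERS):
        hits.append("fake-scan-trailer")
    base, ext, zipped = split_attachment(attachment)
    if base in ATTACHMENT_NAMES and (ext in EXECUTABLE_EXTS or zipped):
        hits.append("attachment")
    return hits


# Constructed sample messages (not captured worm traffic).
SAMPLE_MESSAGES = [
    ("Re:Important", "Please read the attached file!\n+++ Attachment: No Virus found", "crack.zip"),
    ("Re: project status", "Minutes attached.", "minutes-2004-09.doc"),
    ("Hi!", "See the file.", "Winamp.pif"),
]


def scan_samples():
    """Map each sample's attachment name to its matched indicators."""
    return {att: mydoom_y_indicators(s, b, att) for s, b, att in SAMPLE_MESSAGES}
```

A single "subject" hit alone is weak evidence (those subjects occur in ordinary mail); in practice gate on the attachment indicator and treat the others as corroboration.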
